Newsletter

The CLOUD Act and its consequences

Earlier this year, the Clarifying Lawful Overseas Use of Data (CLOUD) Act entered into force. It amended the Stored Communications Act (SCA), which already allowed United States federal law enforcement to obtain, by warrant, data that U.S. technology companies store on U.S. soil. As a result of the CLOUD Act, U.S. authorities can now also demand data that these companies store overseas. What are the consequences of the CLOUD Act for European and U.S. companies? What should they do, for example, when they receive a warrant or subpoena for data that is stored in the European Union?

Before we assess the consequences of the CLOUD Act for U.S. and EU companies, we take a brief look at the origin and substance of the Act.

The origin of the CLOUD Act: Microsoft vs. the U.S.

In the Microsoft Corp. v. United States case, the Federal Bureau of Investigation (FBI) requested data from Microsoft concerning suspects in a drug trafficking investigation. Microsoft handed over the data that was stored in the U.S., but refused to hand over the data (e-mails) that was stored on its Irish servers, arguing that the SCA did not apply to data stored outside the United States. The matter ended up before the Supreme Court. Before the Court could rule, the CLOUD Act was passed quite suddenly as part of an 'omnibus' spending bill. The enactment of the Act rendered the pending Supreme Court decision moot.

The CLOUD Act

As previously stated, the CLOUD Act amends the SCA so that authorities can, under certain circumstances, demand data stored overseas as well. It applies to providers of electronic communication services and remote computing services (ISPs, messaging services, cloud service providers and the like) that are subject to U.S. jurisdiction and have 'possession, custody, or control' over information about a customer, regardless of where that information is stored. The authorities need a search warrant from a U.S. judge, which is granted when there is 'probable cause' that the information constitutes evidence in an ongoing investigation.

The company that receives the warrant can challenge it under the CLOUD Act. The Act provides for a 'motion to quash or modify' the legal process if the company believes that (1) the customer whose information is requested is not a U.S. person and does not reside in the U.S., and (2) the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government. A country qualifies if it has entered into an executive agreement on mutual data sharing with the U.S.; such an agreement also allows that country to request data stored in the U.S. At the time of writing the U.S. has not concluded any executive agreements, so it is currently not possible to file a motion to quash or modify.

And even when it becomes possible to file a motion to quash or modify, it remains to be seen whether such a motion will succeed. The CLOUD Act lists factors that a judge must weigh when assessing the motion, including 'the interests of the United States' and 'the importance of the information to the investigation'. This leaves a judge considerable discretion to deny a motion.

Conflict with the GDPR

A successful motion to quash or modify also requires 'a material risk that the provider would violate the laws of a qualifying foreign government'. In the European Union, a provider that complies with a U.S. court order may violate the General Data Protection Regulation ('GDPR'). In its amicus curiae brief to the Supreme Court in the Microsoft case (a brief by a third party that provides the Court with information), the European Commission ('EC') explained the GDPR's legal framework for transfers of personal data outside the EU.

First, the Commission made clear that under the GDPR a transfer based on a foreign court order is only recognised if it rests on an international agreement, such as a mutual legal assistance treaty, between the requesting country and the EU or a Member State. Besides such an agreement, transfers of personal data are subject to several additional conditions; for example, the transfer must be surrounded by suitable safeguards. The Commission did not take a position on whether the SCA (and thus the CLOUD Act) provides suitable safeguards, but left that assessment to the U.S. Supreme Court.

The absence of executive agreements under the CLOUD Act thus not only prevents providers from filing a motion to quash or modify, but may also cause providers to violate EU law if they comply with a U.S. court order. If such agreements are concluded at some point, the question remains whether the CLOUD Act contains 'suitable safeguards' and thus whether transferring the data still violates EU law.

For the time being, another way to challenge a compelled disclosure of personal data stored overseas may be the 'common law comity principles'. Under these principles a court may excuse a company from a U.S. legal obligation if (1) the company has acted in good faith, and (2) complying with the obligation would expose it to a serious risk of sanctions under the law of a foreign country. Although compliance would currently put a provider in conflict with EU law, it is still uncertain whether a challenge under these principles would succeed.

U.S. companies or companies with subsidiaries in the U.S.: what to do?

Now for the practical side of the CLOUD Act: what should you do when a U.S. authority demands that you disclose personal data stored in the EU? First, we distinguish between companies whose subsidiary is located in the U.S. and companies whose parent company is located in the U.S.

If you have a subsidiary in the U.S., your exposure is limited. To protect the privacy of your (European) customers, make sure that the subsidiary has no possession, custody or control over the data stored in the EU. In practice this means the U.S. entity should hold no administrative access, account credentials, encryption keys or contractual right to obtain that data; a U.S. entity whose staff can log in to the EU environment will find it hard to argue that it lacks control. If the subsidiary genuinely has no such control, the CLOUD Act does not reach that data.

The situation is more complicated if your parent company is located in the U.S. If the parent itself stores data in the EU, the CLOUD Act obviously applies. But even if one of your subsidiaries stores the data in the EU, you may have to comply with disclosure requests: a parent company is generally considered to have control over its subsidiaries, and thus over their data as well. As established above, you may be able to file a motion to quash or modify once an executive agreement has been concluded with the country in which the personal data is stored. No such agreement exists yet, so at the moment your only way to challenge a court order is under the 'common law comity principles'.

Although the chances of succeeding under these principles are still unknown, there are probably enough lawyers willing to represent your company on a contingency-fee ('no cure, no pay') basis in a unique case like this.

Legal ICT will keep you updated on developments regarding the CLOUD Act if you subscribe to our newsletter.

Comments

I think you fundamentally misunderstand the reach of the CLOUD Act. It does not apply broadly to "technology companies," but rather to ISPs, messaging services, cloud service providers, and the like that provide internet and communication services to the public.

Thank you for your response. The term 'technology companies' was intended as shorthand for cloud service providers such as Microsoft, communications providers, etc. This could have been specified further, as you correctly point out, but it does not resolve the potential conflict between the CLOUD Act and the GDPR described in the article.

So do I understand this correctly: currently, any EU cloud-hosted data of a US-owned company, even if the subsidiary is registered as a wholly owned entity within an EU country, can be accessed under this law if the US government so desires, even if it is a breach of the GDPR? Does the US government become open to penalties for breaching the GDPR, or the company whose servers were accessed, even if it can't control it?

Thank you for your response. Indeed, under the CLOUD Act it seems possible for US authorities such as the FBI to demand data from a company such as Microsoft, Google, Apple, Facebook, Amazon, etc., even if this data is stored in the EU under the responsibility of a subsidiary established in the EU (e.g. Microsoft Ireland).

In practice, it will not be feasible to impose a fine or administrative penalty on a US authority for violating the GDPR, as processing by judicial and investigatory authorities is excluded from the (material) scope of the GDPR. Even if this were not the case, it would be a difficult matter under public international law, as there would be a conflict of (territorial) sovereignty.

In principle, it seems possible for the competent EU data protection authority (DPA) to fine the EU-based entity (e.g. Microsoft Ireland), although the DPA would need to establish a specific GDPR violation by this company, and the company might argue that it is not culpable for any breach, as it was compelled to act by a foreign government.

One thing is certain: international jurisdictional and legal issues concerning privacy and security will remain an important (and highly contested) topic.